registry  /  flowmind  /  1.5.11

flowmind@1.5.11

Memory and workflow automation for MCP, Codex, and Claude Code. Reuse repeatable developer operations through skills and explicit feedback.

AI Security Review

scanned 9d ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious attack surface is established. The residual risk is agent-extension behavior: runtime FlowMind initialization may auto-import first-party SDD-Agent resources into FlowMind's own ~/.flowmind namespace and expose skills via a package-owned MCP server.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs flowmind CLI, flowmind-codex CLI, or flowmind-mcp server
Impact
Can store user-provided AI/MCP credentials and workflow bindings, and can invoke configured AI/MCP providers when the user runs the tool.
Mechanism
package-owned agent/MCP workflow tooling with home-directory FlowMind config writes
Policy narrative
FlowMind is an agent workflow/MCP package. Its CLI and MCP entrypoints initialize local configuration, optionally collect user-provided AI/MCP settings, and expose package skills. A runtime auto-sync imports existing ~/.sdd-agent data into ~/.flowmind when present, but inspection did not find npm lifecycle hooks or foreign agent-control-surface writes that would trigger a publish block.
Rationale
Source inspection shows dangerous primitives are runtime, user-invoked, or package-aligned rather than install-time hijacking or exfiltration. Because it is agent/MCP tooling with automatic first-party namespace sync on init, warn-level agent extension lifecycle risk is appropriate rather than malicious.
Evidence
package.jsonbin/flowmind.jsbin/flowmind-codex.jsmcp/server.jscore/index.jscore/sdd-agent-sync.jscore/update-notifier.jscore/config-manager.jscore/ai/providers/openai.jscore/ai/providers/anthropic.js~/.flowmind/config.json~/.flowmind/ai-config.json~/.flowmind/resource-config.json~/.flowmind/component-config.json~/.flowmind/learning/resource-bindings.json~/.flowmind/learning/scenes.json~/.flowmind/source/*.flowmind-codex/config.json
Network endpoints9
api.openai.com/v1api.anthropic.comopen.bigmodel.cn/api/paas/v4api.mimo.ai/v1dashscope.aliyuncs.com/compatible-mode/v1aip.baidubce.comapi.deepseek.com127.0.0.1:11434localhost:11434

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • core/index.js auto-runs SDD-Agent sync during FlowMind init when ~/.sdd-agent/resource-config.json exists.
  • core/sdd-agent-sync.js writes imported config/learning/source files into ~/.flowmind and can discover ~/.claude/debug metadata.
  • bin/flowmind.js saves user-provided AI/MCP config under ~/.flowmind during explicit init/resource commands.
  • mcp/server.js exposes FlowMind skills as MCP tools at runtime.
Evidence against
  • package.json has no npm lifecycle hooks, so no install-time execution.
  • No unconsented writes to .claude, Codex, Cursor, MCP config, shell startup, VCS hooks, or OS autostart found.
  • Package-manager execution is limited to explicit update checks/suggestions, not silent installs.
  • Network calls are package-aligned AI/provider, npm version check, or user-configured MCP endpoints.
  • Dynamic require in config-manager loads local flowmind.config.js only as a user config file.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 89 file(s), 650 KB of source, external domains: 127.0.0.1, aip.baidubce.com, api.anthropic.com, api.deepseek.com, api.mimo.ai, api.openai.com, cli.github.com, dashscope.aliyuncs.com, open.bigmodel.cn, yapi.example.com

Source & flagged code

6 flagged · loading source
core/update-notifier.jsView file
1const { execFile, execSync } = require('child_process'); L2: const { promisify } = require('util');
High
Child Process

Package source references child process execution.

core/update-notifier.jsView on unpkg · L1
bin/flowmind.jsView file
matchType = previous_version_dangerous_delta matchedPackage = flowmind@1.5.8 matchedIdentity = npm:Zmxvd21pbmQ:1.5.8 similarity = 0.621 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/flowmind.jsView on unpkg
3388stdio: 'inherit', L3389: shell: true L3390: });
High
Shell

Package source references shell execution.

bin/flowmind.jsView on unpkg · L3388
3568try { L3569: const globalRoot = execSync('npm root -g', { encoding: 'utf-8' }).trim(); L3570: const localPath = require.resolve('../package.json'); ... L3575: const installCmd = isGlobal L3576: ? `npm install -g flowmind@${latestVersion}` L3577: : `npm install flowmind@${latestVersion}`;
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/flowmind.jsView on unpkg · L3568
core/honor-engine.jsView file
5L6: const fs = require('fs-extra'); L7: const path = require('path');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

core/honor-engine.jsView on unpkg · L5
demo/common.shView file
path = demo/common.sh kind = build_helper sizeBytes = 579 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

demo/common.shView on unpkg

Findings

1 Critical3 High5 Medium4 Low
CriticalPrevious Version Dangerous Deltabin/flowmind.js
HighChild Processcore/update-notifier.js
HighShellbin/flowmind.js
HighRuntime Package Installbin/flowmind.js
MediumDynamic Requirecore/honor-engine.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperdemo/common.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings